The CISO of a major gas company wanted to test his blue team's detection and response capabilities and overall readiness for a real attack while also providing them with critical "field training" of hunting and evicting an attacker within the organization's internal network. The main objective here was to be detected in some way and have the blue team track us down and evict us from the network.

Prior to the actual exercise, we conducted several loud scans and password spray attacks externally to "warm up" the blue team and raise their alert level.

Several drop boxes (devices connected to the internal network that provide remote access) were set up ahead of time to be used throughout the exercise.

On the day of the exercise, we began by performing information gathering and enumeration in the network, during which we were detected. Thus began the game of cat and mouse. The blue team tracked us down and isolated our machine successfully.

We then continued the rest of the exercise from our drop box and conducted several privilege escalation attacks. We were able to obtain Domain Admin privileges relatively easily by abusing an ADCS misconfiguration (a vulnerability that unfortunately many companies still fail to address properly). Upon noticing a gap in detection capabilities on that front, we decided to perform more disruptive operations such as locking some blue team accounts and resetting their passwords. This resumed the chase until the blue team eventually managed to physically find our drop box in one of their offices.

Upon the conclusion of the exercise, we collaborated with the blue team to compare our actions and their detections. We shared our notes regarding their areas of strength and the visibility gaps we identified and exploited.

Overall, the exercise was declared a success. The blue team came out stronger and more aware of the visibility gaps in their detection mechanisms. This empowered them to be better prepared for a real incident.